[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization
Tyler Close
tyler.close at gmail.com
Tue Sep 27 17:33:14 UTC 2005
Hi Antoine,
On 9/27/05, Antoine Pitrou <solipsis at pitrou.net> wrote:
> Well, if Javascript allows the browser to fake a human being without the
> user being aware of it, I think there's nothing serious we can do
> against it.
Quite the contrary, I am proposing a solution: capability URLs.
> The only solution is to devise proper security inside
> Javascript, or to devise alerts in Web browsers when such a behaviour is
> detected.
The blog page is just doing a GET on a well known URL. We don't really
have a web if doing a GET is not a safe operation.
The problem is not the GET, nor the Javascript, nor the Web browser.
The problem is the ACL based access control. The ACL model just
doesn't work when there is communication between users.
We don't need to further hamstring the browser, nor add more warning
dialogs. We just need to use an access control model that actually
controls access.
Tyler
--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/extensions/moreinfo.php?id=957
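The distinction Tyler draws, as an added toy model that is not part of the thread or of the Waterken project: an ACL-protected endpoint at a well-known path, authorised by whatever session cookie the browser attaches, beside a capability URL whose unguessable path is itself the authority. The `Server` class, `browser_fetch`, and the paths are constructed assumptions for the demonstration.

```python
"""Constructed model of ACL (ambient-cookie) access control versus
capability URLs. No real server: the 'browser' is a function that, like a
real one, attaches the user's cookie to any GET, whoever requested it."""
import hmac
import secrets

WELL_KNOWN_PATH = "/blog/delete-all"  # constructed ACL-protected resource


class Server:
    def __init__(self):
        self.sessions = {}      # cookie -> user  (ACL model: who is asking?)
        self.capabilities = {}  # secret path -> (user, action)

    def login(self, user):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie

    def mint_capability(self, user, action):
        # Capability model: the URL is the permission. Only whoever was
        # handed this path can exercise it; there is no ambient identity.
        path = "/cap/" + secrets.token_urlsafe(32)
        self.capabilities[path] = (user, action)
        return path

    def get(self, path, cookie=None):
        """Handle a GET; returns (status, description)."""
        if path == WELL_KNOWN_PATH:
            # ACL model: authority comes from the cookie the browser sent,
            # regardless of which page caused the request.
            user = self.sessions.get(cookie)
            if user is None:
                return 403, "no session"
            return 200, f"ran {path} as {user}"
        for cap, (user, action) in self.capabilities.items():
            if hmac.compare_digest(cap, path):  # constant-time match
                return 200, f"ran {action} as {user}"
        return 404, "unknown capability"


def browser_fetch(server, path, cookie_jar):
    """A browser attaches the stored session cookie to every GET it makes."""
    return server.get(path, cookie=cookie_jar.get("session"))


def third_party_page(server, cookie_jar):
    """The blog page from the thread: a plain GET on a well-known URL.
    It knows no capability URL, so the well-known path is all it can name."""
    return browser_fetch(server, WELL_KNOWN_PATH, cookie_jar)
```

Under the ACL model the third-party page's GET succeeds purely because the browser supplied the cookie; under the capability model the same page has nothing to request, since the authority lives in a URL it was never given.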